Network Flow Analysis: a review

Michael Lucas sent me a copy of his newest book, Network Flow Analysis, on the condition that I read it and write up what I thought. While book reviews aren’t usual fare for this site, it’s appealing to write something different from my usual brief summaries.

One pleasing result of this arrangement is that the book acknowledges Unix-like operating systems (i.e. BSD), which is different from the “If it’s not Windows, it must be Linux – using Bash” assumption common in most tech books.

The book: I had initially expected to read a sort of agglomeration of tips; tools like Cacti or Munin for monitoring hardware; Wireshark or tcpdump for monitoring traffic, and so on. Instead, it goes very specifically into Netflow. Producing Netflow data, saving it, and making sense of it are the majority of the book.

People administering any sort of larger network, usually as part of the day job, are the target audience. Netflow appears to be supported by many network equipment vendors, and software tools exist to read it on *BSD.

(For the uninitiated, Netflow tracks network activity in terms of protocol, port, and so on – everything short of the actual data. It can describe what was happening at any point in time between hosts on a tracked network.)

As described in the book, it’s useful both for tracking down active issues and for analyzing aspects of network health that would otherwise be hidden by averaged graphs, or visible only through direct observation at the problem site. The book covers the protocol and the various tools involved with it, and branches off into related topics, like the use of gnuplot to create ad-hoc representations.
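To make the two points above concrete (what a flow record carries, and what an averaged graph hides), here is an added example that is not from the book or from this review: it builds a NetFlow v5 export datagram from constructed sample flows, parses it the way a collector would, lists the top talkers, and compares the peak one-second rate against the average over the same span. The addresses, ports and byte counts are invented; the v5 header and record layouts follow the standard 24-byte and 48-byte formats.

```python
"""Added example (not from the book under review): encode, parse and summarise
NetFlow v5 flow records. All flow data below is constructed sample input."""
import struct
import ipaddress
from collections import defaultdict

# NetFlow v5 wire formats: 24-byte header, then `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed flows: (src, dst, sport, dport, proto, packets, octets, first_ms, last_ms).
# A long ssh session spans ten seconds; a short burst from 10.0.0.9 lands in second 5.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 44321, 443, 6, 10, 2000, 0, 999),
    ("10.0.0.5", "10.0.0.21", 44322, 443, 6, 10, 2000, 0, 999),
    ("10.0.0.7", "10.0.0.20", 50000, 22, 6, 100, 60000, 0, 9999),
    ("10.0.0.9", "10.0.0.20", 0, 0, 1, 40, 20000, 5000, 5999),
]


def build_v5_datagram(flows, sys_uptime_ms=100_000, unix_secs=1_700_000_000):
    """Pack flows into one NetFlow v5 datagram (what an exporter would send over UDP)."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, pkts, octets, first, last in flows:
        body += V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
            b"\0\0\0\0",            # nexthop: unused in this sample
            1, 2,                   # input / output interface index (constructed)
            pkts, octets, first, last, sport, dport,
            0, 0, proto, 0,         # pad, tcp_flags, protocol, tos
            0, 0, 24, 24, 0)        # src_as, dst_as, src_mask, dst_mask, pad
    return header + body


def parse_v5(datagram):
    """Decode a v5 datagram into flow dicts; reject other versions and truncation."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "octets": f[6],
            "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    return flows


def top_talkers(flows, n=3):
    """Octets sent per source address, largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["octets"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def peak_vs_average(flows, bucket_ms=1000):
    """Spread each flow's octets evenly over the buckets it spans and return
    (peak bucket bytes, average bytes per bucket): the gap is what averaging hides."""
    if not flows:
        return 0.0, 0.0
    buckets = defaultdict(float)
    for f in flows:
        first_b, last_b = f["first_ms"] // bucket_ms, f["last_ms"] // bucket_ms
        share = f["octets"] / (last_b - first_b + 1)
        for b in range(first_b, last_b + 1):
            buckets[b] += share
    span = max(buckets) - min(buckets) + 1
    total = sum(f["octets"] for f in flows)
    return max(buckets.values()), total / span


if __name__ == "__main__":
    flows = parse_v5(build_v5_datagram(SAMPLE_FLOWS))
    print("top talkers:", top_talkers(flows))
    peak, avg = peak_vs_average(flows)
    print(f"peak {peak:.0f} B/s vs average {avg:.0f} B/s")
```

Run as a script, it reports the ssh session as the top talker and a peak second of 26000 bytes against a 10-second average of 8400, the kind of short spike a per-minute average graph would flatten out. The parser checks version and length before touching record bytes, which is the minimum a collector listening on UDP should do with input it cannot trust.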

The reading: The book is enjoyable, with a touch of a conspiratorial Bastard Operator From Hell-like attitude between the author and the reader. It’s a directed narrative going through install, analysis, and reporting, different enough from a man page review that there’s value in proceeding from chapter to chapter. There’s also enough detail in the center of the book that it can serve as a reference source for Netflow collector setup.

It was valuable enough that I found myself planning ways to implement this at my workplace. Remarkable, considering how dry network analysis can be.